DEV Community

Claude code
Claude code

Posted on

Securing Cursor and Claude Code in Enterprise: A Practical Checklist

What "Secure Cursor Claude Code Enterprise" Actually Means

Secure Cursor Claude Code enterprise is the practice of governing AI coding agents — specifically Cursor, Claude Code, and comparable tools — before and during execution across a development organization, so that agent-driven workflows cannot exfiltrate credentials, modify infrastructure, or produce an unauditable trail of automated actions. It requires two distinct controls: pre-execution scanning of agent Skills files for supply chain threats, and runtime guardrails that enforce policy on what the agent can read, write, and transmit while it runs.

Most organizations deploying these tools have neither. They have developers who cloned a project, found a .cursor/rules/ or .claude/skills/ directory, and started working — without anyone reviewing what those files instruct the agent to do.

This checklist covers the four controls that close that gap.

Step 1: Inventory Every Skill File Across Your Developer Fleet

Cursor stores agent rules in .cursor/rules/. Claude Code uses .claude/skills/ and analogous paths. Kiro, CrewAI, LangGraph, and the OpenAI Agents SDK each have their own conventions. The first step is knowing what Skills your developers are actually running — not what your security team thinks they're running.

Start by querying your source control for all files matching *.md inside known agent configuration directories. Grep for patterns like .cursor/, .claude/, .kiro/, and agent framework config files in your monorepo and in any third-party repos developers have cloned. What you find is rarely what anyone expected.

The risk isn't theoretical. A malicious Skill file buried in a cloned repository can instruct an agent to read ~/.ssh/id_rsa or ~/.aws/credentials and exfiltrate the contents using an outbound HTTP call — with no install step, no binary execution, and no antivirus alert. The agent executes it because that's what agents do: they follow Skills. CVE-2025-59536, a sandbox bypass in Claude Code, demonstrated how agents operating with file system access can be manipulated through crafted instructions to access files outside intended boundaries.

Inventory outputs should feed a registry: every Skill file path, its origin repo, the last commit that modified it, and the developer machines it's deployed on. Without that registry, you're governing blind.

Step 2: Set a Secure Cursor Claude Code Enterprise Scanning Baseline

Once you know what Skills exist, every new or modified Skill file needs to pass a scan before any agent executes it. This is the pre-execution layer — and it has a significant limitation you need to understand before you rely on it.

Most static scanners truncate file reads at roughly 3,000 characters. A Skill file that front-loads legitimate instructions and embeds a credential-harvesting payload at line 80 passes those scanners cleanly. Enkrypt AI's research on Skill files found this truncation behavior across multiple common scanning approaches, which is why Skill Sentinel was built to scan the full file regardless of length — not sample it.

Skill Sentinel, Enkrypt AI's open source scanner for AI agent Skills, runs static analysis across the entire file, not a truncated prefix. It flags patterns associated with supply chain attacks: exfiltration payloads, credential path traversal patterns, obfuscated instructions, and encoded commands that only expand when the agent interprets them.

Your scanning baseline should include:

  • A CI gate that blocks merges if any new or modified Skill file hasn't passed Skill Sentinel

    • A pre-execution hook that prevents the agent runtime from loading any unscanned Skill, even ones pulled via git pull mid-session
    • A centrally stored scan manifest that records which version of each Skill passed, when, and against which scanner version — so you can prove compliance and detect rollbacks

Treat a failed scan as a hard stop, not a warning. A Skill that triggers a supply chain flag should not be loadable by the agent, period.

Step 3: Configure Runtime Guardrails on Data Access, Command Execution, and Egress

Pre-execution scanning is necessary but not sufficient. A Skill that scans completely clean can still, at runtime, read ~/.ssh/ because a developer asked the agent to "help with SSH key management." The agent followed a legitimate instruction. Nothing in the Skill file was malicious. The data left the machine anyway.

Runtime guardrails enforce policy on the agent's behavior regardless of how that behavior was triggered. The OWASP LLM Top 10 (2025) lists excessive agency and insecure output handling among the highest-risk patterns in deployed LLM systems — both of which manifest specifically through unconstrained agent tool use. Three policy categories matter most:

Data access policy: Define which filesystem paths the agent is allowed to read. At minimum, restrict access to credential directories (~/.ssh/, ~/.aws/, ~/.config/gcloud/, .env files). Agents don't need SSH keys to write application code. An enterprise deployment should treat credential paths as deny-by-default with explicit override requiring human approval.

Command execution policy: Cursor and Claude Code can both execute shell commands. Define which command classes are permitted: package installs, test runners, build scripts. Flag or block commands that pipe output to external endpoints, write to configuration files outside the project directory, or invoke credential-handling tools like aws sts, gcloud auth, or vault without explicit approval.

Egress policy: Multi-step tool chains are the subtlest attack vector. An agent that reads a file, base64-encodes the output, and then uses a webhook call in the next step has exfiltrated data through three individually innocuous actions. No single step looks dangerous. Runtime guardrails need to evaluate sequences, not just individual tool calls — flagging when an agent reads a sensitive file and then makes an outbound request within the same session context.

Step 4: Build an Audit Trail That Reconstructs What the Agent Did

By default, AI coding agents leave no audit trail. You can see the code they wrote. You cannot see which files they read, which commands they ran, what data passed through the context window, or what outbound requests they made. For a security incident, that's a dead end. For a compliance audit, it's a gap you cannot paper over.

An enterprise-grade audit trail for AI coding agents needs to capture, at minimum: every file path the agent read during a session, every shell command executed and its output, every external HTTP request made by agent tooling, and the Skill files loaded at session start. These events need to be timestamped, attributed to a developer identity, and stored in a tamper-evident log.

At Enkrypt AI, we instrument this at the runtime layer so logs are generated by the guardrail system rather than the agent itself — which means the agent cannot suppress them. An agent that's been manipulated via prompt injection cannot tell the logging system to stop logging.

When you design your audit schema, build toward the questions an incident responder will actually ask: what did this agent read between 2:00 PM and 2:45 PM on this date, and did any of those reads involve credential files? What outbound requests were made from this developer's workstation by agent tooling this week? That's the reconstruction capability that makes audit trails operationally useful rather than just checkbox evidence.

Two-layer security — pre-execution scanning combined with runtime guardrails — is the only architecture that covers both the supply chain attack surface and the autonomous misbehavior surface. Scanning without runtime governance leaves clean-but-misused Skills uncontrolled. Runtime governance without scanning lets malicious Skills load before any policy kicks in. Your deployment needs both.

Frequently Asked Questions

Is Cursor secure for enterprise use?

Cursor is a capable development tool, but it does not ship with supply chain controls for the agent Skills files it executes. Whether Cursor is appropriate for enterprise use depends on the controls your organization adds on top: pre-execution scanning of Skill files, runtime guardrails on file access and command execution, and an audit trail of agent actions. Without those layers, Cursor has the same attack surface as any other AI coding agent that executes instructions from markdown files in your repository.

How do I audit Claude Code Skills?

Start by inventorying all .claude/skills/ files across your repos and developer machines. Then run each file through a full-file scanner — not one that truncates at 3,000 characters, since attacks are often embedded beyond that threshold. Log every Skill file that loads at agent startup and record its hash against a known-good manifest. Any file that hasn't passed a current scan should be blocked from loading. Audit logs should also capture which Skills were active during any session where the agent accessed sensitive file paths.

What permissions does Claude Code need in production?

Claude Code needs read/write access to the project directory and execution access for your build and test toolchain. It does not need access to ~/.ssh/, cloud credential directories (~/.aws/, ~/.config/gcloud/), or system configuration files. In production or shared environments, apply deny-by-default filesystem policy and whitelist only the paths the agent genuinely needs. Shell command execution should be scoped to an allowlist — package managers, test runners, and build scripts — with anything touching credentials or outbound network calls requiring explicit human approval.

How do you enforce a Skill scanning policy across a large engineering team?

Enforcement needs to happen at two points: the repository and the runtime. In your CI pipeline, add a gate that runs Skill Sentinel against any PR that modifies files under agent configuration directories — fail the build on a scan finding, don't just warn. At the runtime level, configure your agent guardrail system to refuse to load any Skill file that lacks a current scan entry in your central manifest. That combination means a developer cannot ship a malicious Skill through code review, and cannot manually place an unscanned file on their machine and have the agent execute it. Policy that only runs in CI but not at runtime is trivially bypassed.

What compliance evidence does an AI coding agent audit trail need to produce?

For most compliance frameworks (SOC 2, ISO 27001, FedRAMP), you need to demonstrate that access to sensitive resources was controlled, logged, and attributable to a specific identity. For AI coding agents, that means: timestamped logs of every file the agent read, every command it executed, and every outbound request it made, attributed to the developer's identity, retained for at least 90 days (longer for regulated industries), and stored in a system the agent itself cannot modify. Incident response also requires the ability to reconstruct a complete session — not just individual events — so investigators can identify whether a sequence of individually-innocent actions constituted data exfiltration.

Top comments (0)